That's not "http access" to SSH. That's the SSH protocol banner. Since your browser can't negotiate SSH it represents the data as best it can, by simply displaying it. That's just how it works. Get over it.
– bahamat Aug 2 '12 at 17:53

6 Answers

This is not something you can prevent with iptables, which doesn't examine the content of the traffic passing over the network. You could do what you want with an Application Firewall, but that might be overkill for your problem.

I would suggest that you consider whether you really care so much about this issue to bother with all the extra effort of installing and configuring an application firewall. The effort might be better spent going through the options in the sshd_config file to ensure you have configured it as securely as you wish.

By design, any application can connect to any IP port. Once the connection is established things then go up to the application level to communicate with each other. Direct port access is at a lower level than SSH. Port access is at the IP level, SSH is at the application level. Port connections are established before SSH is even a part of the picture. Once the port connection is established then SSH is able to start doing its thing.

You need an application level protocol analyzer to intercept connections on the port in order to do what you're thinking. That analyzer needs to be able to read connections on the port, look at the application level protocol involved, then block the connection based on what application level protocol is in use. I'm not an iptables expert, but I don't think that it can do this level of filtering. You probably need a more advanced firewall product to do this. (Someone can correct me if I'm wrong on that).

If I understand your question correctly... you've configured your ssh server to listen on port 80. HTTP traffic is typically done over port 80. When using a web-browser to connect to that box... you see the initial data sent by the ssh server.

If this is the case, there is nothing you can do with iptables to "block" web-browsers and only accept ssh clients. You either leave the port open... or you don't.

You are first making a TCP connection (level 4). Once that happens, the applications (server and client) start talking to establish their communications. The server says SSH-2.0-OpenSSH_5.3, 220 mail.example.com ESMTP Postfix or whatever is appropriate to the protocol, and waits for the client. The client either recognizes what the server is (in which case they start communicating), or it bails out with a protocol mismatch (e.g., Firefox says that it can't connect). You can't really keep the banner from displaying after TCP establishes.

If you want to "block direct port access", you'll have to block it below the application level, perhaps with a firewall rule that prevents all connections to that port except for a whitelisted IP address.
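The exchange described in this answer, as an added example that is not part of any of the posts above: a stand-in server (constructed here, not the real sshd) sends its identification string the moment the TCP connection is accepted, so a browser sending `GET /` and an SSH client sending its own `SSH-2.0-...` line both receive the banner before the server has read a single byte from them. That is why nothing at the packet-filter level can tell the two apart in time.

```python
import socket
import threading

# Constructed banner, modelled on the identification string quoted in the answer.
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"


def fake_sshd(ready, result):
    """Minimal stand-in for sshd (assumption: real sshd behaves the same way
    for this step): the banner is written as soon as the connection is
    accepted, before anything is read from the client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    conn.sendall(SSH_BANNER)            # banner goes out unconditionally
    result["client_said"] = conn.recv(1024)  # only now do we learn who connected
    conn.close()
    srv.close()


def connect_as(port, client_first_line):
    """Behave like any TCP client: read what the server says first, then send
    our own first line. Returns (banner, looks_like_ssh)."""
    s = socket.create_connection(("127.0.0.1", port))
    banner = s.recv(1024)
    s.sendall(client_first_line)
    s.close()
    return banner, banner.startswith(b"SSH-")


def run(client_first_line):
    """Start the stand-in server, connect with the given first line and return
    (banner the client saw, whether it was an SSH banner, what the server read)."""
    ready = {"event": threading.Event()}
    result = {}
    t = threading.Thread(target=fake_sshd, args=(ready, result))
    t.start()
    ready["event"].wait()
    banner, looks_like_ssh = connect_as(ready["port"], client_first_line)
    t.join()
    return banner, looks_like_ssh, result["client_said"]
```

Both a browser-style `GET` and an SSH-style identification line get the identical banner back; the only difference is whether the client knows what to do with it, which is the "protocol mismatch" the answer describes.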